On 29-04-16 19:12, 神明達哉 wrote:
> At Fri, 29 Apr 2016 10:09:30 +0200,
> Matthijs Mekking <matth...@pletterpet.nl> wrote:
>
>>>> - I don't see why setting the CD bit is an indication that NSEC(3)
>>>> aggressive usage should not be used. Could you elaborate on that?
>>
>> I am still hoping that someone could respond to this :)
>
> Specifically where in draft-fujiwara-dnsop-nsec-aggressiveuse-03 are
> you referring to?

Section 5.1. Specifically I think that the CD bit signals to disable
signature validation in a security-aware name server (but does not
prevent it from happening anyways), but that does not disable answering
already validated data from its cache.

Best regards,
  Matthijs

>
> --
> JINMEI, Tatuya
>

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop